From 997580b57e6857005f1096b42ea1084fa25a058d Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Wed, 16 Aug 2023 20:09:04 -0500 Subject: [PATCH 01/42] adds the trust policy, the role, a readme to include some comments about the json files --- eksk8s/README.MD | 18 +++++++ eksk8s/cluster-config.yaml | 31 ++++++++++++ eksk8s/eks-cluster-policy.json | 17 +++++++ eksk8s/eks-cluster-trust-policy.json | 13 +++++ eksk8s/eks-nodegroup-policy.json | 70 ++++++++++++++++++++++++++ eksk8s/eks-nodegroup-trust-policy.json | 20 ++++++++ 6 files changed, 169 insertions(+) create mode 100644 eksk8s/README.MD create mode 100644 eksk8s/cluster-config.yaml create mode 100644 eksk8s/eks-cluster-policy.json create mode 100644 eksk8s/eks-cluster-trust-policy.json create mode 100644 eksk8s/eks-nodegroup-policy.json create mode 100644 eksk8s/eks-nodegroup-trust-policy.json diff --git a/eksk8s/README.MD b/eksk8s/README.MD new file mode 100644 index 0000000000..7b31fe8904 --- /dev/null +++ b/eksk8s/README.MD @@ -0,0 +1,18 @@ +With regard to the file eks-cluster-policy.json: + +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "eks:CreateCluster", + "eks:DescribeCluster", + "eks:UpdateClusterConfig", + "eks:UpdateClusterVersion", + "ssm:GetParameters" + ], + "Resource": "*" // * means that the already defined actions could be applied to any EKS cluster in the account + } + ] +} \ No newline at end of file diff --git a/eksk8s/cluster-config.yaml b/eksk8s/cluster-config.yaml new file mode 100644 index 0000000000..d5e3b13710 --- /dev/null +++ b/eksk8s/cluster-config.yaml 
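Review bot: The `// *` comment on the `Resource` line explains what the wildcard does but not why it is needed, and it understates the scope: the same statement grants `ssm:GetParameters`, so `*` exposes every SSM parameter in the account, not just EKS clusters. I'd extend the comment to say which actions genuinely need `*` and which can be narrowed, e.g. `// DescribeCluster/UpdateClusterConfig/UpdateClusterVersion accept a cluster ARN (arn:aws:eks:us-west-1:<ACCOUNT_ID>:cluster/<CLUSTER_NAME>); ssm:GetParameters should be limited to the parameter path actually read`. This snippet is also a hand-copied duplicate of eks-cluster-policy.json (the `//` comments would be invalid JSON in the real file), so it will drift from the file it documents; a pointer to the file plus the commentary would be safer than a copy.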
@@ -0,0 +1,31 @@ +apiVersion: eksctl.io/v1alpha5 +kind: ClusterConfig + +metadata: + name: eks-cluster + region: us-west-1 + +vpc: + id: vpc-04e8935eb17607398 + subnets: + public: + us-west-1a: + id: subnet-08375f54b10ac81a2 + us-west-1b: + id: subnet-0a8eea0bb2b8bd056 + clusterEndpoints: + publicAccess: true + securityGroup: sg-074fc7db95c8a8141 + +nodeGroups: + - name: eks-nodegroup + iam: + instanceRoleARN: arn:aws:iam::621328949821:role/eks-nodegroup-role + instanceType: t2.micro + desiredCapacity: 2 + ssh: + allow: true + publicKeyPath: ~/.ssh/k8s.pub + subnets: + - subnet-08375f54b10ac81a2 + - subnet-0a8eea0bb2b8bd056 diff --git a/eksk8s/eks-cluster-policy.json b/eksk8s/eks-cluster-policy.json new file mode 100644 index 0000000000..b6d34dc2fc --- /dev/null +++ b/eksk8s/eks-cluster-policy.json @@ -0,0 +1,17 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "eks:CreateCluster", + "eks:DescribeCluster", + "eks:UpdateClusterConfig", + "eks:UpdateClusterVersion", + "ssm:GetParameters" + ], + "Resource": "*" + } + ] +} + diff --git a/eksk8s/eks-cluster-trust-policy.json b/eksk8s/eks-cluster-trust-policy.json new file mode 100644 index 0000000000..fd952e62a2 --- /dev/null +++ b/eksk8s/eks-cluster-trust-policy.json @@ -0,0 +1,13 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "eks.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] +} + diff --git a/eksk8s/eks-nodegroup-policy.json b/eksk8s/eks-nodegroup-policy.json new file mode 100644 index 0000000000..f0c52c1e56 --- /dev/null +++ b/eksk8s/eks-nodegroup-policy.json 
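Review bot: `clusterEndpoints.publicAccess: true` with no `publicAccessCIDRs` leaves the Kubernetes API endpoint reachable from any address (IAM and RBAC still gate access, but the endpoint itself is exposed), and `ssh.allow: true` without `sourceSecurityGroupIds` relies on eksctl's default port-22 ingress rule, which as far as I recall is open to 0.0.0.0/0 for public nodegroups — confirm. I'd add `privateAccess: true` under `clusterEndpoints`, list the CI/admin ranges in `vpc.publicAccessCIDRs`, and either drop SSH or restrict it with `sourceSecurityGroupIds`. The VPC, subnet and security-group IDs and the account id in `instanceRoleARN` are hard-coded, so the file cannot be applied to another account without editing; a comment at the top saying so would help the next reader.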
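Review bot: This document is attached in the later workflow hunks to the role whose trust policy names `eks.amazonaws.com`, i.e. the cluster service role, but the actions it grants (`eks:CreateCluster`, the `eks:Describe*`/`eks:Update*` calls, `ssm:GetParameters`) are the ones a human or CI caller needs; as far as I can tell the EKS control plane never calls those on its own role, while it does need the EC2/ELB permissions in the managed `arn:aws:iam::aws:policy/AmazonEKSClusterPolicy`. I'd attach that managed policy to the cluster role and move this document to the identity that runs eksctl, scoping `Resource` to `arn:aws:eks:us-west-1:<ACCOUNT_ID>:cluster/<CLUSTER_NAME>` for the describe/update actions. A `Sid` on the statement naming who is meant to use it would make the intent explicit.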
@@ -0,0 +1,70 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:UnassignPrivateIpAddresses",
+ "ec2:AssignPrivateIpAddresses",
+ "ecr:GetAuthorizationToken",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:DescribeInstances",
+ "ec2:AssociateRouteTable",
+ "ec2:DeleteVolume",
+ "logs:CreateLogStream",
+ "eks:DescribeNodegroup",
+ "autoscaling:DescribeAutoScalingGroups",
+ "ec2:CreateRoute",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeRouteTables",
+ "ecr:BatchCheckLayerAvailability",
+ "ec2:DetachVolume",
+ "ec2:ModifyVolume",
+ "eks:ListNodegroups",
+ "ec2:CreateTags",
+ "autoscaling:DescribeTags",
+ "ecr:GetDownloadUrlForLayer",
+ "ec2:CreateRouteTable",
+ "ec2:RunInstances",
+ "ec2:DisassociateRouteTable",
+ "logs:CreateLogGroup",
+ "ec2:CreateVolume",
+ "ecr:PutImage",
+ "eks:DeleteNodegroup",
+ "ecr:BatchGetImage",
+ "eks:UpdateNodegroupConfig",
+ "ec2:DescribeSubnets",
+ "ecr:InitiateLayerUpload",
+ "ec2:AttachVolume",
+ "ec2:DeleteTags",
+ "logs:DescribeLogStreams",
+ "autoscaling:DescribeLaunchConfigurations",
+ "ecr:UploadLayerPart",
+ "ecr:ListImages",
+ "iam:PassRole",
+ "ec2:CreateNetworkInterface",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DeleteNetworkInterface",
+ "ec2:CreateSecurityGroup",
+ "ec2:DetachNetworkInterface",
+ "ec2:ModifyNetworkInterfaceAttribute",
+ "ec2:AttachNetworkInterface",
+ "ecr:CompleteLayerUpload",
+ "ecr:DescribeRepositories",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:RebootInstances",
+ "ec2:TerminateInstances",
+ "logs:DescribeLogGroups",
+ "ec2:DeleteRoute",
+ "eks:CreateNodegroup",
+ "logs:PutLogEvents",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DeleteSecurityGroup",
+ "ecr:GetRepositoryPolicy"
+
+ ],
+ "Resource": "*"
+ }
+ ]
+}
+
diff --git a/eksk8s/eks-nodegroup-trust-policy.json b/eksk8s/eks-nodegroup-trust-policy.json
new file mode 100644
index 0000000000..418fd594ff
--- /dev/null
+++ b/eksk8s/eks-nodegroup-trust-policy.json
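Review bot: `iam:PassRole` together with `ec2:RunInstances`, both on `"Resource": "*"`, lets any holder of this role launch instances carrying any role that trusts EC2, which is a well-documented privilege-escalation path; since cluster-config.yaml uses this role as the node `instanceRoleARN`, every pod on a node can reach it through the instance metadata service unless IMDS access is restricted. Most of the list (`ecr:PutImage`, `ecr:UploadLayerPart`, `eks:CreateNodegroup`, `eks:DeleteNodegroup`, `ec2:TerminateInstances`, `ec2:AuthorizeSecurityGroupIngress`, `ec2:CreateRoute`, ...) is management work the nodes themselves never perform. I'd give the node role only the managed `AmazonEKSWorkerNodePolicy`, `AmazonEKS_CNI_Policy` and `AmazonEC2ContainerRegistryReadOnly`, keep the create/delete/push actions on the CI identity, and scope `iam:PassRole` to the specific role ARN (`arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>`). The empty line before `]` in the `Action` array looks accidental.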
@@ -0,0 +1,20 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "ec2.amazonaws.com" + }, + "Action": "sts:AssumeRole" + }, + { + "Effect": "Allow", + "Principal": { + "Service": "eks.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] +} + From 706fbd69d0fd9b4add4125f6401886bffcfcbfa7 Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Wed, 16 Aug 2023 20:12:44 -0500 Subject: [PATCH 02/42] removes github directory from the gitignore file in order to use github actions to create the infra and perform other tasks --- .gitignore | 1 - 1 file changed, 1 deletion(-) diff --git a/.gitignore b/.gitignore index 9500e81546..87d03a0ad5 100644 --- a/.gitignore +++ b/.gitignore @@ -28,4 +28,3 @@ htmlcov/ .envrc .direnv -.github/** From 4869c36df8b478355a51597e0fa42ea062a019bb Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Wed, 16 Aug 2023 20:14:09 -0500 Subject: [PATCH 03/42] creates the cv-eks-cluster-role role using githubactions to avoid doing manually everytime --- .github/workflows/cv-infrastructure.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 .github/workflows/cv-infrastructure.yml diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml new file mode 100644 index 0000000000..c7946c5c47 --- /dev/null +++ b/.github/workflows/cv-infrastructure.yml @@ -0,0 +1,20 @@ +name: Create AWS infrastructure +on: + push: + branches: + - master +jobs: + setup: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Create the role for the trust policy + uses: aws-actions/aws-cli@v2 + with: + args: aws iam create-role --role-name cv-eks-cluster-role --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-trust-policy.json + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + 
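Review bot: The second statement lets `eks.amazonaws.com` assume the node instance role, but a role used as `instanceRoleARN` only has to be assumable by `ec2.amazonaws.com`; the cluster service role in eks-cluster-trust-policy.json already covers the EKS service. Unless there is a reason not visible here, I'd drop the second statement so each role has exactly one principal, and if it stays, add a `Sid` explaining why the EKS service needs the node role.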
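Review bot: The job authenticates with a long-lived IAM user key pair from `secrets.AWS_ACCESS_KEY_ID`/`secrets.AWS_SECRET_ACCESS_KEY`, and that key holds IAM write permissions (`iam create-role`) and is used on every push to master. Prefer GitHub's OIDC federation: add `permissions: { id-token: write, contents: read }` at the top of the workflow, use `aws-actions/configure-aws-credentials` to assume a role whose trust policy limits the `token.actions.githubusercontent.com:sub` claim to this repository and branch, and retire the static keys. `actions/checkout@v2` should also be pinned to a full commit SHA rather than a moving tag, and `AWS_DEFAULT_REGION` is missing from the step `env`, which the next commits go on to discover.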
From 1c19650278c733459add4a3f7ca8570df85a9769 Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Wed, 16 Aug 2023 20:23:39 -0500 Subject: [PATCH 04/42] removes action not found --- .github/workflows/cv-infrastructure.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index c7946c5c47..9d5ef37128 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml @@ -11,9 +11,7 @@ jobs: uses: actions/checkout@v2 - name: Create the role for the trust policy - uses: aws-actions/aws-cli@v2 - with: - args: aws iam create-role --role-name cv-eks-cluster-role --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-trust-policy.json + run: aws iam create-role --role-name cv-eks-cluster-role --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-trust-policy.json env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} From 73a5482c76d51ce8eeea136eec66c2e23ea71d0c Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Wed, 16 Aug 2023 20:23:39 -0500 Subject: [PATCH 05/42] removes action not found --- .github/workflows/cv-infrastructure.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index 9d5ef37128..569bcec586 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml @@ -4,11 +4,11 @@ on: branches: - master jobs: - setup: + setup_aws_credentials: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3.5.3 - name: Create the role for the trust policy run: aws iam create-role --role-name cv-eks-cluster-role --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-trust-policy.json 
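Review bot: `actions/checkout@v3.5.3` pins a tag, and tags can be moved or re-pushed, so the checkout code this job runs is not actually fixed; pin the full commit SHA and keep the version as a comment, `uses: actions/checkout@<commit-sha-of-v3.5.3> # v3.5.3`. The same applies to any further actions added to this workflow. The job is renamed `setup_aws_credentials` while it also creates the IAM role, so the name undersells what it does.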
From 8ddc0d14135aed5bd26f49bfee0014b0e5b793ce Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Wed, 16 Aug 2023 20:30:41 -0500 Subject: [PATCH 06/42] adds aws-default-region since This is a problem with awscli trying to detect the region and failing when run in certain virtualised environments and to fix it I needed to specify the region manually. --- .github/workflows/cv-infrastructure.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index 569bcec586..795ab05ece 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml @@ -15,4 +15,5 @@ jobs: env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + AWS_DEFAULT_REGION: us-west-1 From 96b2c13c1132b148c565270a841fb59a22265f0e Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Wed, 16 Aug 2023 20:35:06 -0500 Subject: [PATCH 07/42] adds aws configure command rather than aws iam create-role directly --- .github/workflows/cv-infrastructure.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index 795ab05ece..e3e2822e95 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml 
@@ -9,11 +9,13 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v3.5.3 - + + - name: Setup AWS credentials + run: | + aws configure set aws_access_key_id ${{ secrets.AWS_ACCESS_KEY_ID }} + aws configure set aws_secret_access_key ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws configure set default.region us-west-1 + - name: Create the role for the trust policy run: aws iam create-role --role-name cv-eks-cluster-role --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-trust-policy.json - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - AWS_DEFAULT_REGION: us-west-1 From f7a4308f161c1dec19c7168e5505dc9c06caa7ad Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Fri, 18 Aug 2023 08:04:51 -0500 Subject: [PATCH 08/42] uses env to get the secrets and use them in aws configure --- .github/workflows/cv-infrastructure.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index e3e2822e95..af6a24478e 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml @@ -11,9 +11,12 @@ jobs: uses: actions/checkout@v3.5.3 - name: Setup AWS credentials + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} run: | - aws configure set aws_access_key_id ${{ secrets.AWS_ACCESS_KEY_ID }} - aws configure set aws_secret_access_key ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID + aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY aws configure set default.region us-west-1 - name: Create the role for the trust policy From aae39afcbb433f6309ebc88f6336c46e7a265101 Mon Sep 17 00:00:00 2001 
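Review bot: `aws configure set` copies the key pair from the environment into `$HOME/.aws/credentials` on the runner, and that copy is unnecessary because the AWS CLI already reads `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` from the environment; the persisted file is also what the `cat $HOME/.aws/credentials` debugging steps in patches 16-18 later print. I'd delete the two `configure set aws_*` lines and set the region alongside the keys, `AWS_DEFAULT_REGION: us-west-1` in the step's `env`, which makes the whole "Setup AWS credentials" step redundant once patch 24 moves the keys to job-level `env`.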
From: Carlos Valarezo Date: Fri, 18 Aug 2023 08:06:12 -0500 Subject: [PATCH 09/42] uses echo to check values --- .github/workflows/cv-infrastructure.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index af6a24478e..be5492b0d6 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml @@ -15,6 +15,8 @@ jobs: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} run: | + echo ${{ secrets.AWS_ACCESS_KEY_ID }} + echo $AWS_ACCESS_KEY_ID aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY aws configure set default.region us-west-1 From bbc0f8ce920dcfa7ed91a4c562717c32bafeaafb Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Fri, 18 Aug 2023 08:13:16 -0500 Subject: [PATCH 10/42] uses DEVELOP as part of the env variable in order to retrieve the secrets --- .github/workflows/cv-infrastructure.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index be5492b0d6..1eec0c0ed5 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml @@ -12,8 +12,8 @@ jobs: - name: Setup AWS credentials env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + AWS_ACCESS_KEY_ID: ${{ secrets.DEVELOP_AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.DEVELOP_AWS_SECRET_ACCESS_KEY }} run: | echo ${{ secrets.AWS_ACCESS_KEY_ID }} echo $AWS_ACCESS_KEY_ID From 20ef11813966ad1530f25aea44fd776d539278dc Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Fri, 18 Aug 2023 08:14:55 -0500 Subject: [PATCH 11/42] removes unnecesary echo --- .github/workflows/cv-infrastructure.yml | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) 
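Review bot: `echo ${{ secrets.AWS_ACCESS_KEY_ID }}` and `echo $AWS_ACCESS_KEY_ID` write a credential to the job log; GitHub masks registered secret values, but masking is best-effort (it misses transformed or partially printed values) and run logs persist and are readable by anyone with read access to the repository. If the point is to confirm the secret is set, test for emptiness instead of printing it: `[ -n "$AWS_ACCESS_KEY_ID" ] || { echo "AWS_ACCESS_KEY_ID is not set" >&2; exit 1; }`. The same concern applies to the bare `env` dump added in patches 12, 13 and 21 (it prints every job variable, including `AWS_SECRET_ACCESS_KEY` once that is in `env`) and to `cat $HOME/.aws/credentials` in patches 16-18; none of those belong in a committed workflow.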
diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index 1eec0c0ed5..0ed1dcc645 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml @@ -11,14 +11,10 @@ jobs: uses: actions/checkout@v3.5.3 - name: Setup AWS credentials - env: - AWS_ACCESS_KEY_ID: ${{ secrets.DEVELOP_AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.DEVELOP_AWS_SECRET_ACCESS_KEY }} run: | - echo ${{ secrets.AWS_ACCESS_KEY_ID }} - echo $AWS_ACCESS_KEY_ID - aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID - aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY + echo ${{ secrets.DEVELOP_AWS_ACCESS_KEY_ID }} + aws configure set aws_access_key_id ${{ secrets.DEVELOP_AWS_ACCESS_KEY_ID }} + aws configure set aws_secret_access_key ${{ secrets.DEVELOP_AWS_SECRET_ACCESS_KEY }} aws configure set default.region us-west-1 - name: Create the role for the trust policy From 38887d59fe82fb52fc9416cc652d42d4a8c8afb2 Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Fri, 18 Aug 2023 08:19:35 -0500 Subject: [PATCH 12/42] uses env to validate the secrets available --- .github/workflows/cv-infrastructure.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index 0ed1dcc645..ecfa66def3 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml @@ -12,7 +12,8 @@ jobs: - name: Setup AWS credentials run: | - echo ${{ secrets.DEVELOP_AWS_ACCESS_KEY_ID }} + echo Available secrets + env aws configure set aws_access_key_id ${{ secrets.DEVELOP_AWS_ACCESS_KEY_ID }} aws configure set aws_secret_access_key ${{ secrets.DEVELOP_AWS_SECRET_ACCESS_KEY }} aws configure set default.region us-west-1 From 5cdc4b35e529ee6f7742894062569ba95e331947 Mon Sep 17 00:00:00 2001 
From: Carlos Valarezo Date: Fri, 18 Aug 2023 08:26:32 -0500 Subject: [PATCH 13/42] uses env to validate the secrets available --- .github/workflows/cv-infrastructure.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index ecfa66def3..e9ec352310 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml @@ -11,8 +11,10 @@ jobs: uses: actions/checkout@v3.5.3 - name: Setup AWS credentials + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} run: | - echo Available secrets env aws configure set aws_access_key_id ${{ secrets.DEVELOP_AWS_ACCESS_KEY_ID }} aws configure set aws_secret_access_key ${{ secrets.DEVELOP_AWS_SECRET_ACCESS_KEY }} From 8088326cc06b5a40fe2494971629ab9087dc1577 Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Fri, 18 Aug 2023 08:37:32 -0500 Subject: [PATCH 14/42] adds enviroment o define the environment --- .github/workflows/cv-infrastructure.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index e9ec352310..3de53f97b1 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml @@ -6,6 +6,8 @@ on: jobs: setup_aws_credentials: runs-on: ubuntu-latest + environment: + name: develop steps: - name: Checkout code uses: actions/checkout@v3.5.3 From faed0ad5135a90a451e2831f3c69e3021d0dc62f Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Fri, 18 Aug 2023 08:39:15 -0500 Subject: [PATCH 15/42] uses env variables to pass secrets to ther aws configure command --- .github/workflows/cv-infrastructure.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index 3de53f97b1..c09457124d 100644 
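Review bot: `environment: name: develop` selects where the secrets come from, but nothing here constrains who can trigger the job, and it creates IAM roles on every push to master. I'd configure protection rules on the `develop` environment (required reviewers and a deployment-branch restriction to `master`) and add a top-level `permissions:` block, starting from `permissions: contents: read`, so the `GITHUB_TOKEN` issued to this job is read-only. Since part of that lives in repository settings rather than in this file, it is worth recording in the README next to the policy notes.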
--- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml @@ -17,9 +17,8 @@ jobs: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} run: | - env - aws configure set aws_access_key_id ${{ secrets.DEVELOP_AWS_ACCESS_KEY_ID }} - aws configure set aws_secret_access_key ${{ secrets.DEVELOP_AWS_SECRET_ACCESS_KEY }} + aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID} + aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY} aws configure set default.region us-west-1 - name: Create the role for the trust policy From b0f29b4991ab2df0c9a5e98c7c337c1ae67905c9 Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Fri, 18 Aug 2023 12:23:32 -0500 Subject: [PATCH 16/42] checks if the credentials file was created --- .github/workflows/cv-infrastructure.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index c09457124d..a8f8988ba1 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml @@ -17,6 +17,7 @@ jobs: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} run: | + cat $HOME/.aws/credentials aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID} aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY} aws configure set default.region us-west-1 From 9e1e8b59037973d2f4bbaaae47bafa80cdc371ab Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Fri, 18 Aug 2023 12:30:06 -0500 Subject: [PATCH 17/42] checks if the credentials file was created --- .github/workflows/cv-infrastructure.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index a8f8988ba1..ed3408e097 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml 
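Review bot: `$AWS_ACCESS_KEY_ID}` and `$AWS_SECRET_ACCESS_KEY}` have a stray closing brace: the shell expands the variable and then appends a literal `}`, so the profile written by `aws configure set` holds a corrupted key id and secret. The lines should read `aws configure set aws_access_key_id "$AWS_ACCESS_KEY_ID"` and `aws configure set aws_secret_access_key "$AWS_SECRET_ACCESS_KEY"`. The same two lines are carried unchanged through patches 16-31; they only stop mattering once patch 24 puts the keys in job-level `env`, which the CLI reads in preference to the credentials file, so the corruption is masked rather than fixed.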
@@ -17,10 +17,10 @@ jobs: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} run: | - cat $HOME/.aws/credentials aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID} aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY} aws configure set default.region us-west-1 + cat $HOME/.aws/credentials - name: Create the role for the trust policy run: aws iam create-role --role-name cv-eks-cluster-role --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-trust-policy.json From 18202a89ff97a28e375e3928b6c86e193e3b9a68 Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Fri, 18 Aug 2023 12:31:46 -0500 Subject: [PATCH 18/42] checks if the credentials file was created --- .github/workflows/cv-infrastructure.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index ed3408e097..cdbd12e03e 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml @@ -20,8 +20,9 @@ jobs: aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID} aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY} aws configure set default.region us-west-1 - cat $HOME/.aws/credentials - name: Create the role for the trust policy - run: aws iam create-role --role-name cv-eks-cluster-role --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-trust-policy.json + run: | + cat $HOME/.aws/credentials + aws iam create-role --role-name cv-eks-cluster-role --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-trust-policy.json From a09fa5b091539e7ba84f1c7d9dfafaf7e8a44b7e Mon Sep 17 00:00:00 2001 
From: Carlos Valarezo Date: Fri, 18 Aug 2023 12:35:22 -0500 Subject: [PATCH 19/42] adds region to the command and validates the creds to execute commands --- .github/workflows/cv-infrastructure.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index cdbd12e03e..5a98e55aed 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml @@ -23,6 +23,6 @@ jobs: - name: Create the role for the trust policy run: | - cat $HOME/.aws/credentials - aws iam create-role --role-name cv-eks-cluster-role --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-trust-policy.json + aws sts get-caller-identity + aws iam create-role --role-name cv-eks-cluster-role --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-trust-policy.json --region us-west-1 From 86cc2a07f9719095cc6e9130ef04f9998ac07fa7 Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Fri, 18 Aug 2023 12:55:23 -0500 Subject: [PATCH 20/42] adds region to the command and validates the creds to execute commands --- .github/workflows/cv-infrastructure.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index 5a98e55aed..58a2080e97 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml @@ -24,5 +24,6 @@ jobs: - name: Create the role for the trust policy run: | aws sts get-caller-identity + cat ${GITHUB_WORKSPACE}/eksk8s/eks-cluster-trust-policy.json aws iam create-role --role-name cv-eks-cluster-role --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-trust-policy.json --region us-west-1 From 22535eed83c46d45c2c6ac18df1fed6b75ca41df Mon Sep 17 00:00:00 2001 
From: Carlos Valarezo Date: Fri, 18 Aug 2023 12:57:00 -0500 Subject: [PATCH 21/42] adds region to the command and validates the creds to execute commands --- .github/workflows/cv-infrastructure.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index 58a2080e97..428771eba1 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml @@ -23,7 +23,7 @@ jobs: - name: Create the role for the trust policy run: | - aws sts get-caller-identity + env cat ${GITHUB_WORKSPACE}/eksk8s/eks-cluster-trust-policy.json - aws iam create-role --role-name cv-eks-cluster-role --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-trust-policy.json --region us-west-1 + aws iam create-role --role-name cv-eks-cluster-role --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-trust-policy.json --region us-west-1 --profile default From ffab8630176372173ce32517b17c10e10ec12ffa Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Fri, 18 Aug 2023 13:10:24 -0500 Subject: [PATCH 22/42] adds region to the command and validates the creds to execute commands --- .github/workflows/cv-infrastructure.yml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index 428771eba1..045aabcc92 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml 
@@ -20,10 +20,4 @@ jobs: aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID} aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY} aws configure set default.region us-west-1 - - - name: Create the role for the trust policy - run: | - env - cat ${GITHUB_WORKSPACE}/eksk8s/eks-cluster-trust-policy.json - aws iam create-role --role-name cv-eks-cluster-role --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-trust-policy.json --region us-west-1 --profile default - + aws iam create-role --role-name cv-eks-cluster-role --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-trust-policy.json From f9a9d0f0f44eaf18d857cbff7d07f10fa07c5e71 Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Fri, 18 Aug 2023 13:21:29 -0500 Subject: [PATCH 23/42] adds region to the command and validates the creds to execute commands --- .github/workflows/cv-infrastructure.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index 045aabcc92..a209d23640 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml @@ -20,4 +20,10 @@ jobs: aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID} aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY} aws configure set default.region us-west-1 + + - name: Create the role for the trust policy + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + run: | aws iam create-role --role-name cv-eks-cluster-role --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-trust-policy.json From b50e1ec75c43dac46d0e38537c4cdcd1b1b8461a Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Fri, 18 Aug 2023 13:34:17 -0500 Subject: [PATCH 24/42] sets the env vars for all the steps --- .github/workflows/cv-infrastructure.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) 
diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index a209d23640..8f98c6666e 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml @@ -8,22 +8,19 @@ jobs: runs-on: ubuntu-latest environment: name: develop + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} steps: - name: Checkout code uses: actions/checkout@v3.5.3 - name: Setup AWS credentials - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} run: | aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID} aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY} aws configure set default.region us-west-1 - name: Create the role for the trust policy - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} run: | aws iam create-role --role-name cv-eks-cluster-role --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-trust-policy.json From d3f9e9d57b4de857c4374df0cd4dd3a5c1ea4723 Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Mon, 21 Aug 2023 12:54:28 -0500 Subject: [PATCH 25/42] updates the name of the job and adds the step to attach the policy to the new role --- .github/workflows/cv-infrastructure.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index 8f98c6666e..8dabaade4a 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml @@ -4,7 +4,7 @@ on: branches: - master jobs: - setup_aws_credentials: + setup_roles_and_policies: runs-on: ubuntu-latest environment: name: develop 
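Review bot: Moving `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` to job-level `env` hands the credentials to every step in the job, including the third-party `actions/checkout` step, which has no need for them. Keep the `env` block on the steps that call `aws`, or better, switch to OIDC via `aws-actions/configure-aws-credentials` so no static key is present in the job at all. The `$AWS_ACCESS_KEY_ID}` brace typo in the retained `configure set` lines is still present in this hunk.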
@@ -21,6 +21,10 @@ jobs: aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY} aws configure set default.region us-west-1 - - name: Create the role for the trust policy + - name: Creates the role for the trust policy run: | aws iam create-role --role-name cv-eks-cluster-role --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-trust-policy.json + + - name: Attaches the policy to the new role + run: | + aws iam put-role-policy --role-name eks-cluster-role --policy-name eks-cluster-policy --policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-policy.json From cc419cd888792e2ef39cffa761119a5da07bc2d9 Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Mon, 21 Aug 2023 13:01:44 -0500 Subject: [PATCH 26/42] updates the ubuntu runner and installs jq to extract values later --- .github/workflows/cv-infrastructure.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index 8dabaade4a..0ce2e52df1 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml @@ -12,6 +12,11 @@ jobs: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} steps: + - name: Setup the runner + run: | + sudo apt update -y + sudo apt install -y jq + - name: Checkout code uses: actions/checkout@v3.5.3 @@ -27,4 +32,4 @@ jobs: - name: Attaches the policy to the new role run: | - aws iam put-role-policy --role-name eks-cluster-role --policy-name eks-cluster-policy --policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-policy.json + aws iam put-role-policy --role-name cv-eks-cluster-role --policy-name eks-cluster-policy --policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-policy.json From 8b00ebb8cf6c331b27c9f6962809606842bfd3b1 Mon Sep 17 00:00:00 2001 
From: Carlos Valarezo Date: Mon, 21 Aug 2023 13:13:09 -0500 Subject: [PATCH 27/42] moves to env vars cluster role and policy name and use them in the respective command --- .github/workflows/cv-infrastructure.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index 0ce2e52df1..7fb22f1561 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml @@ -11,6 +11,8 @@ jobs: env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + CLUSTER_ROLE_NAME: cv-eks-cluster-role + CLUSTER_POLICY_NAME: cv-eks-cluster-policy steps: - name: Setup the runner run: | @@ -28,8 +30,8 @@ jobs: - name: Creates the role for the trust policy run: | - aws iam create-role --role-name cv-eks-cluster-role --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-trust-policy.json + aws iam create-role --role-name ${ROLE_NAME} --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-trust-policy.json - name: Attaches the policy to the new role run: | - aws iam put-role-policy --role-name cv-eks-cluster-role --policy-name eks-cluster-policy --policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-policy.json + aws iam put-role-policy --role-name ${ROLE_NAME} --policy-name ${CLUSTER_POLICY_NAME} --policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-policy.json From 06408dac37435be78e12719c32ff8dfbdcfd0899 Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Mon, 21 Aug 2023 13:15:05 -0500 Subject: [PATCH 28/42] removes unnecesary install of jq and updates the name of the env vars --- .github/workflows/cv-infrastructure.yml | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index 7fb22f1561..77ce0fcda9 100644 
--- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml @@ -14,11 +14,6 @@ jobs: CLUSTER_ROLE_NAME: cv-eks-cluster-role CLUSTER_POLICY_NAME: cv-eks-cluster-policy steps: - - name: Setup the runner - run: | - sudo apt update -y - sudo apt install -y jq - - name: Checkout code uses: actions/checkout@v3.5.3 @@ -30,8 +25,8 @@ jobs: - name: Creates the role for the trust policy run: | - aws iam create-role --role-name ${ROLE_NAME} --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-trust-policy.json + aws iam create-role --role-name ${CLUSTER_ROLE_NAME} --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-trust-policy.json - name: Attaches the policy to the new role run: | - aws iam put-role-policy --role-name ${ROLE_NAME} --policy-name ${CLUSTER_POLICY_NAME} --policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-policy.json + aws iam put-role-policy --role-name ${CLUSTER_ROLE_NAME} --policy-name ${CLUSTER_POLICY_NAME} --policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-policy.json From 2ea1787ea3ee508949b9c6da51ffef32e7390599 Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Mon, 21 Aug 2023 13:29:44 -0500 Subject: [PATCH 29/42] adds the steps to create the role and to attach the policy for the nodegroup --- .github/workflows/cv-infrastructure.yml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index 77ce0fcda9..853f095805 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml @@ -13,6 +13,8 @@ jobs: AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} CLUSTER_ROLE_NAME: cv-eks-cluster-role CLUSTER_POLICY_NAME: cv-eks-cluster-policy + NODEGROUP_ROLE_NAME: cv-eks-nodegroup-role + NODEGROUP_POLICY_NAME: cv-eks-nodegroup-policy steps: - name: Checkout code uses: actions/checkout@v3.5.3 
@@ -23,10 +25,18 @@ jobs: aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY} aws configure set default.region us-west-1 - - name: Creates the role for the trust policy + - name: Creates the role that will assume the trust policy to deal with the cluster run: | aws iam create-role --role-name ${CLUSTER_ROLE_NAME} --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-trust-policy.json - name: Attaches the policy to the new role run: | aws iam put-role-policy --role-name ${CLUSTER_ROLE_NAME} --policy-name ${CLUSTER_POLICY_NAME} --policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-policy.json + + - name: Creates the role to manage the node-group + run: | + aws iam create-role --role-name ${NODEGROUP_ROLE_NAME} --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-nodegroup-trust-policy.json + + - name: Attaches the policy for the node-group + run: | + aws iam put-role-policy --role-name ${NODEGROUP_ROLE_NAME} --policy-name ${NODEGROUP_POLICY_NAME} --policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-nodegroup-policy.json From 5faa55f4c1ff40bb8aa5eed442e0c910b9dfeb00 Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Mon, 21 Aug 2023 14:33:27 -0500 Subject: [PATCH 30/42] configures the yaml file to create the k8s eks cluster via eksctl --- .github/workflows/cv-infrastructure.yml | 4 ++++ eksk8s/cluster-config.yaml | 6 +++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index 853f095805..6270ddc0dc 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml 
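Review bot: The nodegroup role name becomes an env var here (`NODEGROUP_ROLE_NAME`), but the consumer of that role is the hard-coded `instanceRoleARN: arn:aws:iam::…:role/cv-eks-nodegroup-role` in eksk8s/cluster-config.yaml (see PATCH 30), so the two can silently drift; derive the ARN in the workflow or template the config, as the README itself recommends. Also visible in the context lines, `aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID}` and the secret-key line carry a stray `}` that is appended to the stored value — the job only works because the same values are exported as environment variables, which the CLI prefers over the config file; either drop these two steps or write `"${AWS_ACCESS_KEY_ID}"`. Whether eks-nodegroup-policy.json grants what worker nodes need to join the cluster (the equivalent of AmazonEKSWorkerNodePolicy, AmazonEKS_CNI_Policy and AmazonEC2ContainerRegistryReadOnly) cannot be seen from this hunk and is worth confirming.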
@@ -40,3 +40,7 @@ jobs: - name: Attaches the policy for the node-group run: | aws iam put-role-policy --role-name ${NODEGROUP_ROLE_NAME} --policy-name ${NODEGROUP_POLICY_NAME} --policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-nodegroup-policy.json + + - name: Creates the k8s cluster using eksctl + run: | + eksctl --version diff --git a/eksk8s/cluster-config.yaml b/eksk8s/cluster-config.yaml index d5e3b13710..050c0e9263 100644 --- a/eksk8s/cluster-config.yaml +++ b/eksk8s/cluster-config.yaml @@ -2,7 +2,7 @@ apiVersion: eksctl.io/v1alpha5 kind: ClusterConfig metadata: - name: eks-cluster + name: cv-eks-cluster region: us-west-1 vpc: @@ -18,9 +18,9 @@ vpc: securityGroup: sg-074fc7db95c8a8141 nodeGroups: - - name: eks-nodegroup + - name: cv-eks-nodegroup iam: - instanceRoleARN: arn:aws:iam::621328949821:role/eks-nodegroup-role + instanceRoleARN: arn:aws:iam::621328949821:role/cv-eks-nodegroup-role instanceType: t2.micro desiredCapacity: 2 ssh: From 3a0feba72a7cba5698eaf30773999d8063c1f405 Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Mon, 21 Aug 2023 14:40:04 -0500 Subject: [PATCH 31/42] setup the runner installing eksctl --- .github/workflows/cv-infrastructure.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index 6270ddc0dc..7bc11d6d22 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml @@ -19,6 +19,9 @@ jobs: - name: Checkout code uses: actions/checkout@v3.5.3 + - name: Setups the runner + run: ./scripts/pepe.sh + - name: Setup AWS credentials run: | aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID} From ad3f00fefa9f727f89f538190aa7c786bbff520c Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Mon, 21 Aug 2023 14:40:48 -0500 Subject: [PATCH 32/42] setup the runner installing eksctl --- .github/workflows/cv-infrastructure.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index 7bc11d6d22..91a31243bd 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml @@ -20,7 +20,7 @@ jobs: uses: actions/checkout@v3.5.3 - name: Setups the runner - run: ./scripts/pepe.sh + run: ./scripts/eksctl-install.sh - name: Setup AWS credentials run: | From 2fe543c3546cda0298721d7e15d4cf2299be0258 Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Mon, 21 Aug 2023 14:41:41 -0500 Subject: [PATCH 33/42] setup the runner installing eksctl --- .github/workflows/scripts/eksctl-install.sh | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 .github/workflows/scripts/eksctl-install.sh diff --git a/.github/workflows/scripts/eksctl-install.sh b/.github/workflows/scripts/eksctl-install.sh new file mode 100644 index 0000000000..43a3bf5a36 --- /dev/null +++ b/.github/workflows/scripts/eksctl-install.sh @@ -0,0 +1,13 @@ +#!/bin/bash + +ARCH=amd64 +PLATFORM=$(uname -s)_$ARCH + +curl -sLO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_$PLATFORM.tar.gz" + +# (Optional) Verify checksum +curl -sL "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_checksums.txt" | grep $PLATFORM | sha256sum --check + +tar -xzf eksctl_$PLATFORM.tar.gz -C /tmp && rm eksctl_$PLATFORM.tar.gz + +sudo mv /tmp/eksctl /usr/local/bin \ No newline at end of file From 98946d695c93d19dd68759d1e29ee4585d22814b Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Mon, 21 Aug 2023 14:47:08 -0500 Subject: [PATCH 34/42] updates the path of the script file --- .github/workflows/cv-infrastructure.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index 91a31243bd..6e951719b9 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml 
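Review bot: The checksum step in eksctl-install.sh is ineffective: the script has no `set -euo pipefail`, so a failing `sha256sum --check` (or a failed download) does not stop the script and the tarball is extracted and moved into /usr/local/bin regardless — the `(Optional)` comment should go and the script should begin with `set -euo pipefail`. The download also tracks `releases/latest`, so each workflow run installs whatever was published most recently, and the checksum file is fetched from the same location as the binary, which proves only that the transfer was intact, not that the release is the one that was reviewed; pin a version (`EKSCTL_VERSION=<pinned version>` with `releases/download/v${EKSCTL_VERSION}/…`) and compare against a digest committed in the repository. `grep $PLATFORM` and the other expansions should be quoted. The identical file is re-added under .github/scripts in PATCH 36, where the same applies.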
@@ -20,7 +20,7 @@ jobs: uses: actions/checkout@v3.5.3 - name: Setups the runner - run: ./scripts/eksctl-install.sh + run: sh $GITHUB_WORKSPACE/.github/scripts/eksctl-install.sh - name: Setup AWS credentials run: | From f899779e825a64344c29b6c9c0a4d2e257ccb942 Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Mon, 21 Aug 2023 14:48:11 -0500 Subject: [PATCH 35/42] updates the path of the script file --- .github/workflows/scripts/eksctl-install.sh | 13 ------------- 1 file changed, 13 deletions(-) delete mode 100644 .github/workflows/scripts/eksctl-install.sh diff --git a/.github/workflows/scripts/eksctl-install.sh b/.github/workflows/scripts/eksctl-install.sh deleted file mode 100644 index 43a3bf5a36..0000000000 --- a/.github/workflows/scripts/eksctl-install.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash - -ARCH=amd64 -PLATFORM=$(uname -s)_$ARCH - -curl -sLO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_$PLATFORM.tar.gz" - -# (Optional) Verify checksum -curl -sL "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_checksums.txt" | grep $PLATFORM | sha256sum --check - -tar -xzf eksctl_$PLATFORM.tar.gz -C /tmp && rm eksctl_$PLATFORM.tar.gz - -sudo mv /tmp/eksctl /usr/local/bin \ No newline at end of file From 9ea53fcab71f6fd43e3e684150d0c305aeafb331 Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Mon, 21 Aug 2023 14:48:33 -0500 Subject: [PATCH 36/42] updates the path of the script file --- .github/scripts/eksctl-install.sh | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 .github/scripts/eksctl-install.sh diff --git a/.github/scripts/eksctl-install.sh b/.github/scripts/eksctl-install.sh new file mode 100644 index 0000000000..43a3bf5a36 --- /dev/null +++ b/.github/scripts/eksctl-install.sh 
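Review bot: The new line runs the installer with `sh`, which on ubuntu-latest is dash and ignores the `#!/bin/bash` shebang at the top of eksctl-install.sh; the script happens to be POSIX-compatible today, but any bash-only addition would break without an obvious error. Prefer `run: bash "$GITHUB_WORKSPACE/.github/scripts/eksctl-install.sh"` (quoted, so a workspace path with spaces still resolves), or mark the file executable and call it directly. At this commit the file is still at .github/workflows/scripts per PATCH 33, so the path only resolves after the move in PATCH 35/36.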
@@ -0,0 +1,13 @@ +#!/bin/bash + +ARCH=amd64 +PLATFORM=$(uname -s)_$ARCH + +curl -sLO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_$PLATFORM.tar.gz" + +# (Optional) Verify checksum +curl -sL "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_checksums.txt" | grep $PLATFORM | sha256sum --check + +tar -xzf eksctl_$PLATFORM.tar.gz -C /tmp && rm eksctl_$PLATFORM.tar.gz + +sudo mv /tmp/eksctl /usr/local/bin \ No newline at end of file From c30549eae9f11248a28c0195c61952f7a0561ee9 Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Mon, 21 Aug 2023 14:51:24 -0500 Subject: [PATCH 37/42] creates the cluster --- .github/workflows/cv-infrastructure.yml | 2 +- eksk8s/README.MD | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index 6e951719b9..2d799e2ff6 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml @@ -46,4 +46,4 @@ jobs: - name: Creates the k8s cluster using eksctl run: | - eksctl --version + eksctl create cluster -f ${GITHUB_WORKSPACE}/eksk8s/eksctl-config.yaml \ No newline at end of file diff --git a/eksk8s/README.MD b/eksk8s/README.MD index 7b31fe8904..1e808a4391 100644 --- a/eksk8s/README.MD +++ b/eksk8s/README.MD @@ -15,4 +15,6 @@ With regard to the file eks-cluster-policy.json: "Resource": "*" // * means that the already defined actions could be applied to any EKS cluster in the account } ] -} \ No newline at end of file +} + +In the file eksk8s/cluster-config.yaml the key nodeGroups.iam.instanceRoleARN has the value=arn:aws:iam::62132xxxx821:role/cv-eks-nodegroup-role. In a real project this file should be created using jinja/cookicutter in a previous step. This file should never have hard-coded values. However, for educational purposes/save time these values are hardcoded in the file. \ No newline at end of file 
From 45414ebc3425fa2da341d33f579ff3413a4f70c2 Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Mon, 21 Aug 2023 14:57:09 -0500 Subject: [PATCH 38/42] uses the correct file to create the cluster using eksctl --- .github/workflows/cv-infrastructure.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index 2d799e2ff6..a35b7f6837 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml @@ -46,4 +46,4 @@ jobs: - name: Creates the k8s cluster using eksctl run: | - eksctl create cluster -f ${GITHUB_WORKSPACE}/eksk8s/eksctl-config.yaml \ No newline at end of file + eksctl create cluster -f ${GITHUB_WORKSPACE}/eksk8s/cluster-config.yaml \ No newline at end of file From ac8f9fe01bd62ea88b354121e49cabf042cdfe6e Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Mon, 21 Aug 2023 15:15:42 -0500 Subject: [PATCH 39/42] create the ssh key files getting the values from the secrets repo --- .github/workflows/cv-infrastructure.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index a35b7f6837..27f6c6d4ba 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml @@ -11,6 +11,8 @@ jobs: env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} + SSH_PUBLIC_KEY: ${{ secrets.SSH_PUBLIC_KEY }} CLUSTER_ROLE_NAME: cv-eks-cluster-role CLUSTER_POLICY_NAME: cv-eks-cluster-policy NODEGROUP_ROLE_NAME: cv-eks-nodegroup-role 
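Review bot: `eksctl create cluster` now runs on every push with no guard, and the command is not idempotent — a second run fails because the cluster already exists, and nothing in the workflow ever tears the cluster (two t2.micro nodes plus the control plane, per cluster-config.yaml in PATCH 30) down, so cost and drift accumulate; consider an `eksctl get cluster --name cv-eks-cluster` check before creating, plus a matching delete job or a manual `workflow_dispatch` trigger. cluster-config.yaml also commits the real account ID in `instanceRoleARN` while the README masks it as `62132xxxx821`; pick one policy. The nodegroup's `ssh:` block continues outside the visible hunk — if SSH is enabled there without a source restriction, eksctl opens port 22 on the node security group broadly, which should be restricted or disabled for a cluster created automatically.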
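Review bot: `SSH_PRIVATE_KEY` is added at job-level `env`, which places the private key in the environment of every step of the job, including the eksctl-install.sh download and the `aws iam` calls that have no use for it; scope it with a step-level `env:` on the one step that writes it. Looking at what the job does, the private half is not needed at all — eksctl only needs the public key to register it with EC2 — so that secret arguably should not reach the runner. The long-lived `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` pair in the same block is used for `iam:CreateRole`/`iam:PutRolePolicy`; GitHub's OIDC federation with a role limited to those actions (for example via `aws-actions/configure-aws-credentials`) would avoid keeping static IAM user keys in repository secrets.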
@@ -19,9 +21,14 @@ jobs: - name: Checkout code uses: actions/checkout@v3.5.3 - - name: Setups the runner + - name: Setup the runner run: sh $GITHUB_WORKSPACE/.github/scripts/eksctl-install.sh + - name: Setup the keys used to create the k8s cluster + run: | + echo $SSH_PRIVATE_KEY > $HOME/.ssh/k8s + echo $SSH_PUBLIC_KEY > $HOME/.ssh/k8s.pub + - name: Setup AWS credentials run: | aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID} From 72490f4db91ab242a8bf5f9022c39801125065cf Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Mon, 21 Aug 2023 15:19:36 -0500 Subject: [PATCH 40/42] creates the .ssh directory --- .github/workflows/cv-infrastructure.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index 27f6c6d4ba..bb2db10f72 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml @@ -26,6 +26,7 @@ jobs: - name: Setup the keys used to create the k8s cluster run: | + mkdir $HOME/.ssh/ echo $SSH_PRIVATE_KEY > $HOME/.ssh/k8s echo $SSH_PUBLIC_KEY > $HOME/.ssh/k8s.pub From d51df7f71f93ffac38ce61329a0d7d4c46cd4f96 Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Mon, 21 Aug 2023 18:02:40 -0500 Subject: [PATCH 41/42] adds new comments and separates the setup of the roles and policies from the creation of the cluster --- .github/workflows/cv-infrastructure.yml | 26 ++++++++++++++++--------- eksk8s/README.MD | 6 +++++- 2 files changed, 22 insertions(+), 10 deletions(-) diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index bb2db10f72..7d712850f3 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml 
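Review bot: `echo $SSH_PRIVATE_KEY > $HOME/.ssh/k8s` expands the secret unquoted, so a multi-line PEM key is written as a single line with its newlines turned into spaces and the resulting file is not a valid key; the public-key line has the same problem if the value contains anything the shell would split. Write the file with `printf '%s\n' "$SSH_PUBLIC_KEY" > "$HOME/.ssh/k8s.pub"` and set `umask 077` (or `chmod 600`) first, since ssh rejects a world-readable private key anyway. Because only the public key is consumed by the cluster config, the private-key line can be dropped altogether. At this commit `$HOME/.ssh` is not created beforehand; PATCH 40 adds that.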
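Review bot: `mkdir $HOME/.ssh/` fails the step if the directory already exists on the runner and creates it with the default mode; `mkdir -p -m 700 "$HOME/.ssh"` is idempotent and gives the key directory the permissions ssh expects.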
@@ -11,8 +11,6 @@ jobs: env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} - SSH_PUBLIC_KEY: ${{ secrets.SSH_PUBLIC_KEY }} CLUSTER_ROLE_NAME: cv-eks-cluster-role CLUSTER_POLICY_NAME: cv-eks-cluster-policy NODEGROUP_ROLE_NAME: cv-eks-nodegroup-role @@ -24,12 +22,6 @@ jobs: - name: Setup the runner run: sh $GITHUB_WORKSPACE/.github/scripts/eksctl-install.sh - - name: Setup the keys used to create the k8s cluster - run: | - mkdir $HOME/.ssh/ - echo $SSH_PRIVATE_KEY > $HOME/.ssh/k8s - echo $SSH_PUBLIC_KEY > $HOME/.ssh/k8s.pub - - name: Setup AWS credentials run: | aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID} @@ -52,6 +44,22 @@ jobs: run: | aws iam put-role-policy --role-name ${NODEGROUP_ROLE_NAME} --policy-name ${NODEGROUP_POLICY_NAME} --policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-nodegroup-policy.json + create_the_cluster: + runs-on: ubuntu-latest + needs: setup_roles_and_policies + environment: + name: develop + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} + SSH_PUBLIC_KEY: ${{ secrets.SSH_PUBLIC_KEY }} + steps: + - name: Setup the keys used to create the k8s cluster + run: | + mkdir $HOME/.ssh/ + echo $SSH_PRIVATE_KEY > $HOME/.ssh/k8s + echo $SSH_PUBLIC_KEY > $HOME/.ssh/k8s.pub - name: Creates the k8s cluster using eksctl run: | - eksctl create cluster -f ${GITHUB_WORKSPACE}/eksk8s/cluster-config.yaml \ No newline at end of file + eksctl create cluster -f ${GITHUB_WORKSPACE}/eksk8s/cluster-config.yaml diff --git a/eksk8s/README.MD b/eksk8s/README.MD index 1e808a4391..c9bdc2d637 100644 --- a/eksk8s/README.MD +++ b/eksk8s/README.MD 
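Review bot: The new `create_the_cluster` job runs on a fresh runner but has no `actions/checkout` step and no eksctl installation, so `${GITHUB_WORKSPACE}/eksk8s/cluster-config.yaml` does not exist there and, as far as I can tell, `eksctl` is not preinstalled on ubuntu-latest; jobs do not share a filesystem, so the checkout and setup steps from `setup_roles_and_policies` have to be repeated here. The job also sets no region, though `metadata.region` in cluster-config.yaml should cover that for eksctl. The key-writing step moved here unchanged carries the quoting and permission issues raised on PATCH 39/40.
```yaml
  create_the_cluster:
    # … unchanged: runs-on, needs, environment, env …
    steps:
      - name: Checkout code
        uses: actions/checkout@v3.5.3
      - name: Setup the runner
        run: bash "$GITHUB_WORKSPACE/.github/scripts/eksctl-install.sh"
      # … unchanged: key setup and "Creates the k8s cluster using eksctl" steps …
```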
@@ -17,4 +17,8 @@ With regard to the file eks-cluster-policy.json: ] } -In the file eksk8s/cluster-config.yaml the key nodeGroups.iam.instanceRoleARN has the value=arn:aws:iam::62132xxxx821:role/cv-eks-nodegroup-role. In a real project this file should be created using jinja/cookicutter in a previous step. This file should never have hard-coded values. However, for educational purposes/save time these values are hardcoded in the file. \ No newline at end of file +In the file eksk8s/cluster-config.yaml the key nodeGroups.iam.instanceRoleARN has the value=arn:aws:iam::62132xxxx821:role/cv-eks-nodegroup-role. In a real project this file should be created using jinja/cookicutter in a previous step. This file should never have hard-coded values. However, for educational purposes/save time these values are hardcoded in the file. + +This key pair was created in aws console. It is possible to do it using the command to create it. This step involves pushing (uploading) the keys to aws via aws cli or somehow. + +The subnets were also created by hand in the aws console. \ No newline at end of file From e7f5dffc81d300ae405dd4c8aff4746bc54eaab6 Mon Sep 17 00:00:00 2001 From: Carlos Valarezo Date: Mon, 21 Aug 2023 18:04:34 -0500 Subject: [PATCH 42/42] moves to infrastructure branch and updates the workflow --- .github/workflows/cv-infrastructure.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cv-infrastructure.yml b/.github/workflows/cv-infrastructure.yml index 7d712850f3..ba0ecb08b9 100644 --- a/.github/workflows/cv-infrastructure.yml +++ b/.github/workflows/cv-infrastructure.yml @@ -2,7 +2,7 @@ name: Create AWS infrastructure on: push: branches: - - master + - infrastructure jobs: setup_roles_and_policies: runs-on: ubuntu-latest